Merging pcap files
Merging in the Wireshark GUI
1. Open the first pcap file.
2. Menu bar: File -> Merge -> choose the second pcap file. The Merge dialog also asks how the two captures relate in time: prepend the packets of the second file, merge the two chronologically by frame timestamp, or append them.
3. File -> Save as … to write the merged capture to disk.
Merging with the mergecap tool
The tool is normally installed at /usr/bin/mergecap; if it is not there, look in the Wireshark installation directory.
Usage:
mergecap [options] -w <outfile>|- <infile> [<infile> ...]
(base) qiancj@qiancj-HP-ZBook-G8:~/tools$ ./merge_cap-x86_64.AppImage -h
Mergecap (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)
Merge two or more capture files into one.
See https://www.wireshark.org for more information.
Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
Output:
-a concatenate rather than merge files.
default is to merge based on frame timestamps.
-s <snaplen> truncate packets to <snaplen> bytes of data.
-w <outfile>|- set the output filename to <outfile> or '-' for stdout.
-F <capture type> set the output file type; default is pcapng.
an empty "-F" option will list the file types.
-I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
an empty "-I" option will list the merge modes.
Miscellaneous:
-h display this help and exit.
-v verbose output.
Test: merge every .pcap file in a directory into one output file (the shell expands the glob, so the input files are passed in name order; with no -a the packets are still interleaved by timestamp). Write the output outside the input directory if you intend to re-run the command: here merge_randy.pcap lands in merge_test, so a second run would match it with *.pcap and feed it back in as an input.
(base) qiancj@qiancj-HP-ZBook-G8:~/tools$ ./merge_cap-x86_64.AppImage -w /home/qiancj/Documents/data/pcap/merge_test/merge_randy.pcap /home/qiancj/Documents/data/pcap/merge_test/*.pcap
(base) qiancj@qiancj-HP-ZBook-G8:~/tools$ ll /home/qiancj/Documents/data/pcap/merge_test
total 9552536
drwxrwxr-x 2 qiancj qiancj 4096 Apr 19 17:41 ./
drwxrwxr-x 5 qiancj qiancj 4096 Apr 19 17:10 ../
-rwxrwxr-x 1 qiancj qiancj 1984666815 Apr 12 13:51 1_00001_20230412101926.pcap*
-rwxrwxr-x 1 qiancj qiancj 2878536895 Apr 12 14:35 1_00014_20230412103200.pcap*
-rw-rw-r-- 1 qiancj qiancj 4918569132 Apr 19 17:41 merge_randy.pcap
Open merge_randy.pcap in Wireshark to inspect the merged capture: the result is the same as the GUI merge produces.
Note that despite the .pcap file name the output is in pcapng format, because no -F option was given and the default is pcapng; that is also why merge_randy.pcap is somewhat larger than the sum of its two inputs (pcapng's per-packet block headers are bigger than the 16-byte classic pcap record header, and it adds interface description blocks). Pass -F pcap if a downstream tool only reads classic pcap.
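As an added illustration (not part of the original post and not Wireshark's own code), the Python script below models the two behaviours the mergecap help text describes: the default timestamp-ordered k-way merge and the -a concatenation, plus -s truncation to a snaplen. It reads and writes classic pcap only (mergecap writes pcapng by default and handles differing link types through interface description blocks; this model simply rejects mixed link types). The two input captures are constructed inside the script, and every name in it is the example's own.

```python
"""Minimal model of what mergecap does: a timestamp-ordered k-way merge of
classic pcap files (the default) versus plain concatenation (-a), with
optional truncation to a snaplen (-s). Handles both byte orders and the
microsecond/nanosecond magic numbers of the pcap header.
The sample captures built below are constructed for the example, not real traffic."""
import heapq
import struct
from dataclasses import dataclass
from typing import List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps are seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps are seconds + nanoseconds
GLOBAL_HDR = 24                # size of the classic pcap file header
RECORD_HDR = 16                # size of each per-packet record header
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    ts_ns: int        # capture timestamp, nanoseconds since the Unix epoch
    orig_len: int     # length on the wire (exceeds len(data) when truncated)
    data: bytes       # captured bytes


def read_pcap(buf: bytes) -> Tuple[int, int, List[Packet]]:
    """Parse a classic pcap file into (linktype, snaplen, packets)."""
    if len(buf) < GLOBAL_HDR:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    frac_scale = 1000 if magic == PCAP_MAGIC_USEC else 1
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:GLOBAL_HDR])
    packets, off = [], GLOBAL_HDR
    while off < len(buf):
        if off + RECORD_HDR > len(buf):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", buf[off:off + RECORD_HDR])
        off += RECORD_HDR
        # A record claiming more bytes than snaplen, or than remain in the file, is corrupt.
        if incl_len > snaplen or off + incl_len > len(buf):
            raise ValueError(f"bad incl_len {incl_len} at offset {off - RECORD_HDR}")
        packets.append(Packet(ts_sec * 1_000_000_000 + ts_frac * frac_scale, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, packets


def write_pcap(linktype: int, packets: List[Packet], snaplen: int = 262144) -> bytes:
    """Serialise packets as a little-endian, nanosecond-resolution classic pcap.
    Packet data longer than snaplen is cut to snaplen, as mergecap -s does; orig_len is kept."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_NSEC, 2, 4, 0, 0, snaplen, linktype)]
    for p in packets:
        data = p.data[:snaplen]
        sec, ns = divmod(p.ts_ns, 1_000_000_000)
        out.append(struct.pack("<IIII", sec, ns, len(data), p.orig_len) + data)
    return b"".join(out)


def merge_captures(inputs: List[bytes], concatenate: bool = False, snaplen: int = 262144) -> bytes:
    """Merge captures like mergecap's default (chronological) or -a (append) modes.
    Simplification: every input must share one link type."""
    parsed = [read_pcap(b) for b in inputs]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {sorted(linktypes)} are not supported by this example")
    streams = [pkts for _, _, pkts in parsed]
    if concatenate:
        merged = [p for pkts in streams for p in pkts]
    else:
        # k-way merge; each input is assumed to already be in capture order, as mergecap assumes.
        # heapq.merge resolves equal timestamps in favour of the earlier input.
        merged = list(heapq.merge(*streams, key=lambda p: p.ts_ns))
    return write_pcap(linktypes.pop(), merged, snaplen)


def _frame(ts_ns: int, payload: bytes) -> Packet:
    """Constructed Ethernet-shaped frame: two MAC addresses, EtherType 0x0800, then a tag payload."""
    data = bytes.fromhex("aabbccddeeff112233445566") + b"\x08\x00" + payload
    return Packet(ts_ns, len(data), data)


def build_samples() -> Tuple[bytes, bytes]:
    """Two constructed captures whose timestamps interleave (seconds 1,3,5 and 2,4,6)."""
    a = write_pcap(LINKTYPE_ETHERNET, [_frame(t * 1_000_000_000, b"A%d" % t) for t in (1, 3, 5)])
    b = write_pcap(LINKTYPE_ETHERNET, [_frame(t * 1_000_000_000, b"B%d" % t) for t in (2, 4, 6)])
    return a, b


def payload_order(pcap: bytes) -> List[bytes]:
    """Payload tag of each packet in file order, for inspection."""
    return [p.data[14:] for p in read_pcap(pcap)[2]]


if __name__ == "__main__":
    a, b = build_samples()
    print("chronological:", payload_order(merge_captures([a, b])))
    print("concatenated :", payload_order(merge_captures([a, b], concatenate=True)))
    print("snaplen 15   :", [len(p.data) for p in read_pcap(merge_captures([a, b], snaplen=15))[2]])
```

Running it prints the packet order for both modes: the default interleaves A1, B2, A3, B4, A5, B6 by timestamp, while the -a equivalent keeps each file whole in argument order. Records whose incl_len exceeds the snaplen or runs past the end of the file raise ValueError instead of being silently skipped, which is the sanity check you want before trusting a merged capture in an investigation.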
Follow the WeChat official account [三戒纪元].